Notifiable Data Breach Scheme starts on 22nd February 2018 — How well are you prepared?

Background

The focus on cyber security is rapidly increasing partly due to recent high-profile security breaches within major organisations and businesses. Evolving levels of sophistication, stealth, and reach of organised cyber-attacks requires more attention than ever before. Coupling cyber concerns with threats organisations face internally, cyber security now resides high on many corporate risk registers as a top concern for executives and business owners.

In response to the increase in cyber threats and activities, organisations require greater visibility and understanding into their current level of maturity. This in turn leads towards a process of strengthening the organisations controls to a more mature state that lends itself to cyber risk reduction.

In February 2017, the Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, which amended the Privacy Act 1988, making it mandatory for companies and organisations (Government/ Non-Government) to report “eligible data breaches” to the ‘Office of the Australian Information Commissioner’ (OAIC) and any affected, ‘at-risk’ individuals.

The Privacy Act 1998 has been amended to encourage entities to uplift their current security posture to ensure personally identifiable information is protected in its entire ‘data life cycle’ and securely deleted when no longer required.

Overview

The ‘Notifiable Data Breach’ (NDB) scheme applies to most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’). To see if applies your organisations please refer to Privacy Act 1988.

The above entities must take reasonable steps to protect personally identifiable information they hold. This includes but is not limited to protection against malicious actions, such as theft or ‘hacking’, that may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure.

In general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified. Some of the key facts from the ‘2017 Cost of Data Breach Study from Ponemon Institute’ and ‘Mandiant’ indicate:

  • It took businesses an average of 191 days to identify the data breach and an average of 66 days to contain the breach1;
  • Data breaches cost companies an average of $139 per compromised record2; and
  • Only 31% of organizations globally discovered IT security compromises through their own resources last year, according to Mandiant.
1, 2 Ponemon Institute© 2017 Cost of Data Breach Study – Australia

High profile security breaches in Australia

When it comes to data security breaches, last year saw 1792 data breaches, which led to almost 1.4 billion data records lost or stolen from organisations globally according to the Gemalto Breach Level Index.

In Australia, we saw a combined total of 15,899 cyber security incidents reported based on the Australian Cyber Security Centre (ACSC) Threat Report 2016 which included:

  • Threats to Government – Between 1 January 2015 and 30 June 2016, ASD, as part of the ACSC, responded to 1095 cyber security incidents on government systems, which were considered serious enough to warrant operational responses; and
  • Threats to Private Sector – Between July 2015 and June 2016, CERT Australia responded to 14,804 cyber security incidents affecting Australian businesses, 418 of which involved systems of national interest (SNI) and critical infrastructure (CI).

Some of the known ‘publicised’ high profile security incidents in Australia include:

  • Red Cross – 1.28 million blood donor records from 2010 published to a publicly facing website in Oct 2016;
  • Menulog – 1.1 million customer records compromised including names, Phone Numbers, Addresses and Order Histories in 2016;
  • NAB – 60,000 customer records was sent to the wrong website last December;
  • Big W – Personal details of Big W customers leaked online in Nov 2016;
  • David Jones & Kmart – An inherent vulnerability within the online portals of David Jones and Kmart was used to compromise customer records in late 2015; and
  • Telstra – Pacnet an Asian subsidiary of Telstra was compromised in 2015 in an attack affecting thousands of customers including federal government departments/ agencies.

For more information on how prepared Australian organisations (Government/ Private) are to meet the ever-growing cyber security threat, please look at the ACSC Cyber Security Survey 2016.

Does this apply to you & what is personal information?

This scheme applies to entities that have an obligation under Australian Privacy Principles (APP11) of the privacy act to protect Personally Identifiable Information (PII) it holds.

[(s 26W(1) (a)) – ‘Personal information’ (PII) is defined in s 6(1) of the Privacy Act to include information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not].

The term ‘personal information’ encompasses a broad range of information. A number of different types of information are explicitly recognised as constituting personal information under the Privacy Act. The following are all types of personal information:

  • ‘Sensitive information’; (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information)
  • ‘Health information’; (which is also ‘sensitive information’)
  • ‘Credit information’; financial information
  • ‘Employee record’ information; (subject to exemptions) and
  • ‘Tax file number information’.

Although not explicitly recognised as personal information under the Privacy Act, information may be explicitly recognised as personal information under other legislation.

Further, the definition of personal information is not limited to information about an individual’s private or family life, but extends to any information or opinion that is about the individual, from which they are reasonably identifiable. This can include information about an individual’s business or work activities.

  • Example-1. Customer name, phone number and email address are collected by a business or government agency to create a customer contact file. The customer contact file constitutes personal information, as he/she is the subject of the record.
  • Example-2: Information that a ‘person’ was born with foetal alcohol syndrome reveals that his/her biological mother consumed alcohol during her pregnancy. This information may therefore be personal information about ‘person’s mother’ as well as the ‘person’ itself.

For detailed information what constitutes personal information please click here.

Entities covered by the NDB scheme

Australian Government agencies (and the Norfolk Island administration) and all businesses and not-for-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.

Some small business operators (organisations with a turnover of $3 million or less) are also covered by the Privacy Act including:

  • Private sector health service providers. Organisations providing a health service include:
    • Traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals;
    • Complementary therapists, such as naturopaths and chiropractors; and
    • Gyms and weight loss clinics.
  • Childcare centres, private schools and private tertiary educational institutions;
  • Businesses that sell or purchase personal information; and
  • Credit reporting bodies.

For more information about your responsibilities under the Privacy Act click here

Steps Entities Can Take

The reasonable steps entities should take to ensure the security of personal information will depend on their circumstances, including the following:

  • The nature of the entity holding the personal information;
  • The amount and sensitivity of the personal information held;
  • The possible adverse consequences for an individual;
  • The information handling practices of the entity holding the information;
  • The practicability of implementing the security measure, including the time and cost involved; and
  • Whether a security measure is itself privacy invasive.

The circumstances outlined above, will influence the reasonable steps that an organisation should take to destroy or de-identify/ classify personal information.

It is important that entities take reasonable steps to protect information they hold as a data breach could have very significant impact on their reputation and ongoing business operations.

The OIAC provides guidance on responsible steps organisations can undertake here.

Where to begin

A good starting point will be to look at the Privacy management framework (Framework) which provides steps the OAIC expects you to take to meet your ongoing compliance obligations under APP 1.2.

Below are some of the steps Entities can take to increase the security posture and comply with the Australian Privacy Principles (APP11)

  • Step 1: Entities can embed a culture of privacy and compliance by:
    • Treating Personal Information as valuable; (the first step is to classify unstructured data)
    • Assigning accountabilities to an individual to manage privacy;
    • Adopting Privacy by design principles in all projects and decisions;
    • Develop and implement privacy management plans that aligns with business objectives and privacy obligations; and
    • Implement a reporting structure and capture non–compliance incidents.
  • Step 2: Entities can establish a robust and effective privacy practices, procedures & systems by:
    • Keep information up to date irrespective of its physical location or third parties;
    • Develop and maintain a clearly articulated and up to date privacy policy which aligns with your privacy obligations; (This includes all information security polices as most of the information security policies are interlinked so it’s very important to have an up to date set of information security policies)
    • Develop and maintain processes to ensure you are handling personal information in accordance with your privacy obligations; (This includes how information is handled in its entire life-cycle: In-Transit, In-Use and At-Rest)
    • Perform a risk assessment to identify, assess and manage privacy risks across the business;
    • Undertake Privacy Impact Assessments (PIA) to make sure you are compliant with the privacy laws; and
    • Develop a data breach response process or a Security Incident Response Plan (SIRP) which will guide/ assist you to respond effectively in case of a data breach.
  • Step 3: Evaluate your privacy practices, procedures and systems (assurance)
    As security is a continuous improvement process, it is important to ensure all your practices, procedures, processes and systems are working effectively. Assurance activities should include:
    • Monitoring, review and measurement of all your privacy and compliance obligations against your privacy management framework; and
    • Risk assessments of third-party service providers and contractors;
  • Step 4: Enhance your response to privacy issues/ concerns
    • Use the results from Step 3 to update/ enhance and uplift your security and privacy risk profile, which includes your people, process and technology areas; and
    • Monitor and address new security risks and threats by implementing good system hygiene. A good starting point will be to implement recommendations from the Australian Signals Directorate, Australian Cyber Security Centre and CERT Australia, which provides mitigation strategies to help organisations mitigate cyber security incidents.

Whilst, the introduction of the new legislation is a good opportunity to evaluate and measure your organisation’s compliance with the Privacy Act provisions. It is also a good starting point for all organisations to continually assess the known state of risk from the ever-changing cyber threat landscape, by developing a maturity model, which can aid in further instances of cyber risk reduction.

If you need any help with the above recommendations, have a chat to us today and find out how Kloud/Telstra can help you overcome your specific NDB security/privacy obligations.

Category:
Security